Security & Privacy

LaborWise is built with security as a priority. Union member data is sensitive, and every feature is designed to keep it protected.

Data Isolation

Every organization’s data is completely isolated. Users can only access data belonging to their own organization — there is no cross-organization data access at any level.

  • All database queries are scoped to the authenticated user’s organization
  • File storage is organized by organization with access controls
  • Chat channels, documents, and records are all organization-scoped

Authentication

LaborWise uses industry-standard authentication:

  • Single Sign-On (SSO) powered by Clerk with support for Google, Microsoft, and email/password
  • Role-based access control with three roles: Admin, Representative, and Viewer
  • Session management with automatic expiry and secure cookie handling

Role Permissions

Capability                       Admin   Representative   Viewer
View members, cases, documents   Yes     Yes              Yes
Create/edit members, cases       Yes     Yes              No
Export member data               Yes     Yes              No
Manage settings                  Yes     No               No
Create chat channels             Yes     No               No
Manage automations (org-wide)    Yes     No               No
Manage users                     Yes     No               No

File Security

  • All uploaded files are stored in private storage buckets — files are never publicly accessible
  • File downloads use short-lived signed URLs that expire automatically
  • Uploads are validated for file type, extension, and size (10MB max)
  • Accepted file types: PDF, Word, Excel, PowerPoint, text, CSV, and common image formats

Transport Security

  • All traffic is encrypted with HTTPS/TLS
  • HTTP Strict Transport Security (HSTS) is enabled with preload
  • A strict Content Security Policy (CSP) prevents cross-site scripting attacks
  • The application is not indexed by search engines

Email Security

  • Email content is sanitized to prevent injection attacks
  • SMTP credentials are configured per organization and stored securely
  • Campaign emails include tracking only with organization consent

Custom Domain Support

Organizations using custom domains get the same security protections. Authentication is handled via secure handoff to the primary domain, with encrypted session tokens for the custom domain.

Reporting Security Issues

If you discover a security vulnerability, please contact us immediately at security@laborwise.io.

Last updated on